app/notes/20160918-2258.md
That Time I Was a Whitehat Hacker
that-time-i-was-a-whitehat-hacker
1474239511
I've been trying to find a replacement for github streaks after they removed
them a few months ago. I was pretty happy to find
[GithubOriginalStreak](https://github.com/Naramsim/GithubOriginalStreak) which
had browser plugins for Chrome, Firefox, and Opera. After installing the plugin and
noticing it wasn't correctly reporting streak lengths, I dug into its source
code and was surprised to see it was [using github gists as a datastore for
streak information](https://github.com/Naramsim/GithubOriginalStreak/blob/1161133560347f7986d427052ce2011c32127bfb/src/store.js).
This presented a few problems:
1. Github gists aren't supposed to be used as a high performance database.
Github probably rate limits access to its data.
2. The packaged browser extensions contain read/write keys to the account that
owns the github gist. The GithubOriginalStreak repository itself doesn't have
the keys but the keys are easily extractable from the extensions anyways.
3. Neither the gist nor the code does any validation of incoming data before
the supposed gist lengths are displayed inline in the Github page.
This last problem was the most critical. A malicious attacker could have
gotten write-privileges by downloading and unpacking the extension, then
modified the gist to inject an XSS attack into someone else's browser. The
best part is that the gist contains a list of all people who use the
extension so you could target a specific person for XSS.
I talked to the author afterwards and thankfully he was receptive of the
feedback. The extension is still using Github gists but is now doing some
data validation. With [the new profile design](https://github.com/blog/2256-a-whole-new-github-universe-announcing-new-tools-forums-and-features),
extensions like these shouldn't be needed anymore.